🔨 RustyHog: handle empty reports correctly to fix #10584#12129

Merged
Maffooch merged 3 commits into DefectDojo:bugfix from manuel-sommer:rework_rustyhog
Apr 7, 2025
Conversation

@manuel-sommer (Contributor)

@dryrunsecurity (Bot) commented Mar 29, 2025

DryRun Security Summary

Documentation and code updates for the Rusty Hog parser in DefectDojo revealed potential security risks related to information exposure, metadata sensitivity, and parsing vulnerabilities in the parser implementation.

Summary: Documentation and code updates for Rusty Hog parser in DefectDojo, including method modifications, scan type expansions, and test suite refactoring.

Security Findings:

  1. Potential Information Exposure in Parser

    • Location: dojo/tools/rusty_hog/parser.py
    • Risk: Parser extracts and logs detailed metadata including commit hashes, file paths, and line numbers
    • Explanation: Sensitive information could be unintentionally disclosed through finding logs
  2. Parsing Metadata Sensitivity

    • Location: dojo/tools/rusty_hog/parser.py
    • Risk: Findings are marked with high severity by default
    • Explanation: Automatic high-severity marking could lead to potential information disclosure or misrepresentation of actual risk
  3. Input Parsing Potential Risks

    • Location: dojo/tools/rusty_hog/parser.py
    • Risk: While input validation has been improved, there are still potential parsing vulnerabilities
    • Explanation: Complex parsing logic with multiple scan types could introduce unexpected behavior or parsing edge cases

@valentijnscholten valentijnscholten changed the title 🔨 Rework RustyHog to fix #10584 🔨 RustyHog: handle empty reports correctly to fix #10584 Mar 29, 2025
@valentijnscholten (Member)

I have changed the title slightly to make it more clear as it ends up in the release notes.

Comment thread docs/content/en/connecting_your_tools/parsers/file/rusty_hog.md Outdated
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
Comment thread dojo/tools/rusty_hog/parser.py
Comment thread dojo/tools/rusty_hog/parser.py Outdated
@Maffooch Maffooch requested a review from hblankenship April 7, 2025 15:59
@Maffooch Maffooch added this to the 2.45.1 milestone Apr 7, 2025
@Maffooch Maffooch merged commit 7d0f185 into DefectDojo:bugfix Apr 7, 2025
78 checks passed
@manuel-sommer manuel-sommer deleted the rework_rustyhog branch April 7, 2025 22:35
Maffooch added a commit that referenced this pull request Apr 21, 2025
* 🔨 Rework RustyHog to fix #10584

* Update docs/content/en/connecting_your_tools/parsers/file/rusty_hog.md

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>

* update

---------

Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>